Compliant Product - Forescout v8.1
Certificate Date: 2020.03.16
Validation Report Number: CCEVS-VR-VID11008-2020
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
Forescout is a network device that provides network access control, threat protection, and compliance enforcement across the entire enterprise based on network security policies. The network device product type is justified because Forescout fulfils an infrastructure role in the internetworking of different network environments across an enterprise.
The TOE is Forescout running Forescout software version 8.1.
In its evaluated configuration, the TOE is configured to directly communicate with the following environment components:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Forescout was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Forescout Security Target Version 1.0. The evaluation underwent CCEVS Validator review and was completed in March 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11008-2020, prepared by CCEVS.
The TOE contains mechanisms to generate audit data to record predefined events on the TOE. The audit logs are stored in an internal database on the TOE’s local hard drive. An authorized administrator has the ability to enable/disable the forwarding of events to a syslog server. In the evaluated configuration, the audit data is also securely transmitted to the syslog server using a TLS v1.2 communication channel.
The TOE provides cryptography in support of SSH and TLS (v1.2) trusted communications. Two different cryptography software packages are included with the TOE: Bouncy Castle and OpenSSL. Bouncy Castle uses a Hash DRBG and OpenSSL uses a CTR DRBG to provide random bit generation services seeded with 256 bits of entropy. OpenSSL provides all RSA key generation, implemented in accordance with FIPS 186-4. Both OpenSSL and Bouncy Castle provide RSA key establishment, implemented in accordance with RSAES-PKCS1-v1_5. OpenSSL provides Diffie-Hellman group 14 (FFC) key generation and Diffie-Hellman group 14 key establishment, both implemented in accordance with RFC 3526, Section 3. Keys are destroyed when no longer used. AES (CBC and GCM), SHA, HMAC and RSA are used by the TOE for encryption, hashing, message authentication and digital signatures, respectively. The cryptographic implementations have been validated to ensure that the algorithms are appropriately strong for use in trusted communications (OpenSSL: C933; Bouncy Castle: C944).
Identification and Authentication
The TSF provides a configurable maximum number of consecutive authentication failures permitted for a user. Once this number has been reached, the account is locked for a configurable time interval or until the Security Administrator manually unlocks the account.
The TOE provides local password authentication as well as the ability to securely connect to an Active Directory server for the authentication of users. Communications over this interface are secured using TLS, with the TOE acting as the client. The TOE enforces the use of X.509 certificates to support authentication for TLS connections. The only function available to an unauthenticated user is the ability to acknowledge a warning banner. Passwords maintained by the TSF can be composed of upper case letters, lower case letters, numbers and special characters. The Security Administrator can define the minimum password length as between 15 and 30 characters.
The TOE can be administered locally and remotely and uses role-based access control (RBAC) to allow or deny access to TSF data and functionality. The TOE has one pre-defined role: “Admin”. The permissions of the “Admin” role cannot be modified or customized. A user assigned the “Admin” role is the TOE administrator (Security Administrator) and has access to all Console tools and features. All other users, who do not have the full set of administrative permissions, are categorized as “Console Users”. A Console User’s set of permissions is set at creation and can be customized by adding or removing specific permissions to allow or disallow particular TOE functionality.
Protection of the TSF
The TOE is expected to ensure the security and integrity of all data that is stored locally and accessed remotely. Passwords are not stored in plaintext. The cryptographic module prevents the unauthorized disclosure of secret cryptographic data. The TOE does not support automatic updates. An administrator has the ability to query the TOE for the currently executing version of the TOE software and is required to manually initiate the update process from the Console. The TOE automatically verifies the digital signature of the software update prior to installation. If the digital signature is found to be invalid for any reason, the update is not installed. If the signature is deemed invalid, the administrator is presented with a warning banner and may choose to continue with the installation or abort it. There is no administrative override to continue the installation if the signature is missing entirely. The TOE implements a self-testing mechanism that is executed automatically during initial start-up and can be manually initiated by an administrator after authentication, to verify the correct operation of the product and its cryptographic modules. The TOE provides its own time via its internal clock.
The TOE displays a configurable warning banner prior to its use. Inactive sessions are terminated after an administrator-configurable time period. Users are allowed to terminate their own interactive sessions. Once a remote session has been terminated, the TOE requires the user to re-authenticate to establish a new session. Local and remote sessions are terminated after the administrator-configured inactivity time limit is reached.
Users can access a CLI for administration functions remotely via SSH (remote console) or through a local physical connection (local console) to the TOE. The TOE provides the SSH server functionality. The Console is the main administrator interface; it runs on a separate Windows PC and requires the use of TLS to communicate with the TOE.
The TOE acts as a TLS client to initiate the following secure paths to:
• User Authentication (Active Directory)
• Auditing (Syslog)
The TOE acts as a TLS server and receives requests to establish the following secure paths from:
• Forescout Console